Re: [dspace-tech] Re: Shibboleth on DSpace 7.2 won't work for unknown reasons

2023-06-30 Thread Matthias Letsch
Hello Mark, thank you, I know, I just twisted it here. Still, now it works
without it, but it won't if I have it inserted.

Thank you again for your help and have a great weekend!
Matthias

On Fri, 30 June 2023 at 18:39, Mark H. Wood <mwoodiu...@gmail.com> wrote:

> On Fri, Jun 30, 2023 at 01:11:28AM -0700, Matthias Letsch wrote:
> > Thank you for your reply.
> >
> > I have the OIDs delivered by the IDP which are the following:
> >
> > urn:oid:1.3.6.1.4.1.5923.1.1.1.6
> > urn:oid:2.5.4.42
> > urn:oid:2.5.4.4
> > urn:oid:0.9.2342.19200300.100.1.3
> > urn:oid:2.16.840.1.113730.3.1.241
> >
> > So this is what I put into attribute-map.xml:
> >
> > 
> > 
> > 
> > 
> > 
> >
> > And this is on the other side in
> > [dspace-backend]/config/modules/authentication-shibboleth.cfg:
> >
> > authentication-shibboleth.netid-header = SHIB-NETID
> > authentication-shibboleth.email-header = SHIB-MAIL
> > (...)
> > authentication-shibboleth.firstname-header = SHIB-GIVENNAME
> > authentication-shibboleth.lastname-header = SHIB-SURNAME
> >
> > If I have the attributePrefix="_AJP" in shibboleth2.xml, nothing at all
> > arrives at DSpace from the login attempt. (403)
>
> That should be "AJP_" not "_AJP".  See
> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html#env
>

Re: [dspace-tech] Re: Shibboleth on DSpace 7.2 won't work for unknown reasons

2023-06-30 Thread Mark H. Wood
On Fri, Jun 30, 2023 at 01:11:28AM -0700, Matthias Letsch wrote:
> Thank you for your reply.
> 
> I have the OIDs delivered by the IDP which are the following:
> 
> urn:oid:1.3.6.1.4.1.5923.1.1.1.6 
> urn:oid:2.5.4.42 
> urn:oid:2.5.4.4 
> urn:oid:0.9.2342.19200300.100.1.3 
> urn:oid:2.16.840.1.113730.3.1.241 
> 
> So this is what I put into attribute-map.xml: 
> 
> 
> 
> 
> 
> 
> 
> And this is on the other side in 
> [dspace-backend]/config/modules/authentication-shibboleth.cfg:
> 
> authentication-shibboleth.netid-header = SHIB-NETID
> authentication-shibboleth.email-header = SHIB-MAIL
> (...)
> authentication-shibboleth.firstname-header = SHIB-GIVENNAME
> authentication-shibboleth.lastname-header = SHIB-SURNAME
> 
> If I have the attributePrefix="_AJP" in shibboleth2.xml, nothing at all 
> arrives at DSpace from the login attempt. (403)

That should be "AJP_" not "_AJP".  See
https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html#env

> If I delete it, at least there is a 401 "authentication failed" and 
> dspace.log throws the error mentioned above.
> 
> I added 'allowedRequestAttributesPattern='SHIB-.*' to the AJP connector in 
> tomcat9/conf/server.xml
> 
> The inherited result is still the same. To make matters worse, now this 
> morning after these minimal changes in the Shib XML files and in 
> server.xml, for some reason the following came up when I tried to reload 
> the page: 
> 
> Service Unavailable
> 
> The server is temporarily unable to service your request due to maintenance 
> downtime or capacity problems. Please try again later.
> 
> Apache/2.4.38 (Debian) Server at ... Port 443
> 
> After resetting to the state before these changes the service runs normally 
> again (still without Shibboleth of course). Is it possible that it is 
> somehow due to the module? I don't know exactly, because our DSpace was 
> originally installed by an external company, but I guess that at the moment 
> only mod_proxy is used for the communication between Apache and Tomcat.
> 
> Kind regards,
> Matthias

Re: [dspace-tech] Re: Shibboleth on DSpace 7.2 won't work for unknown reasons

2023-06-30 Thread Matthias Letsch
Hello all,

I solved it. I still had to adjust the 
apache2/sites-enabled/default-ssl.conf exactly according to the template in 
the documentation: 
https://wiki.lyrasis.org/display/DSDOC7x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication

Now it works.


Re: [dspace-tech] Re: Shibboleth on DSpace 7.2 won't work for unknown reasons

2023-06-30 Thread Matthias Letsch
Thank you for your reply.

I have the OIDs delivered by the IDP which are the following:

urn:oid:1.3.6.1.4.1.5923.1.1.1.6 
urn:oid:2.5.4.42 
urn:oid:2.5.4.4 
urn:oid:0.9.2342.19200300.100.1.3 
urn:oid:2.16.840.1.113730.3.1.241 

So this is what I put into attribute-map.xml: 







And this is on the other side in 
[dspace-backend]/config/modules/authentication-shibboleth.cfg:

authentication-shibboleth.netid-header = SHIB-NETID
authentication-shibboleth.email-header = SHIB-MAIL
(...)
authentication-shibboleth.firstname-header = SHIB-GIVENNAME
authentication-shibboleth.lastname-header = SHIB-SURNAME

If I have the attributePrefix="_AJP" in shibboleth2.xml, nothing at all 
arrives at DSpace from the login attempt. (403)
If I delete it, at least there is a 401 "authentication failed" and 
dspace.log throws the error mentioned above.

I added 'allowedRequestAttributesPattern='SHIB-.*' to the AJP connector in 
tomcat9/conf/server.xml

The inherited result is still the same. To make matters worse, now this 
morning after these minimal changes in the Shib XML files and in 
server.xml, for some reason the following came up when I tried to reload 
the page: 

Service Unavailable

The server is temporarily unable to service your request due to maintenance 
downtime or capacity problems. Please try again later.

Apache/2.4.38 (Debian) Server at ... Port 443

After resetting to the state before these changes the service runs normally 
again (still without Shibboleth of course). Is it possible that it is 
somehow due to the module? I don't know exactly, because our DSpace was 
originally installed by an external company, but I guess that at the moment 
only mod_proxy is used for the communication between Apache and Tomcat.

Kind regards,
Matthias
Mark H. Wood wrote on Thursday, 29 June 2023 at 15:57:26 UTC+2:

>
> You need to know the OIDs used by your Shibboleth IDP to label the
> attributes that you want. These may vary from site to site.
> attribute-map.xml maps them to names SHIB-NETID and the rest. If you
> don't give the right OIDs, nothing will be mapped into the request.
>
> You also need to know (or set) the request attributes that DSpace
> expects. That's the other side of the mapping.
>
> Here we are using attributePrefix='AJP_' and it works. We do not set
> ShibUseHeaders. Tomcat will strip the prefix and pass the attributes
> through in the Request. But Tomcat must be configured to accept more
> than the default set of attributes: the AJP connector must have
> 'allowedRequestAttributesPattern='SHIB-.*' to let them through.
>
> -- 
> Mark H. Wood
> Lead Technology Analyst
>
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
>

-- 
All messages to this mailing list should adhere to the Code of Conduct: 
https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
--- 
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To 

Re: [dspace-tech] Re: Shibboleth on DSpace 7.2 won't work for unknown reasons

2023-06-29 Thread Mark H. Wood
On Thu, Jun 29, 2023 at 03:10:32AM -0700, Matthias Letsch wrote:
> This has at least resulted in the 403 becoming a 401 and DSpace noticing 
> something about the login attempt, which I consider positive progress.
> 
> However, DSpace now complains in the logs that it cannot find the required 
> attributes:
> 
> 2023-06-29 11:58:35,693 ERROR unknown unknown 
> org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication was 
> not able to find a NetId, Email, or Tomcat Remote user for which to 
> indentify a user from.
> 2023-06-29 11:58:35,707 ERROR unknown unknown 
> org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson 
> because we are unable to find an email address along with first and last 
> name for the user.
>   NetId Header: 'SHIB-NETID'='null' (Optional)
>   Email Header: 'SHIB-MAIL'='null'
>   First Name Header: 'SHIB-GIVENNAME'='null'
>   Last Name Header: 'SHIB-SURNAME'='null'
> 2023-06-29 11:58:35,709 INFO  unknown unknown 
> org.dspace.app.rest.security.EPersonRestAuthenticationProvider @ 
> anonymous::failed_login:email=null, result=4
> 2023-06-29 11:58:35,719 ERROR unknown unknown 
> org.dspace.app.rest.security.StatelessLoginFilter @ Authentication failed 
> (status:401)
> org.springframework.security.authentication.BadCredentialsException: Login 
> failed
> 
> So I guess I need to modify the attribute-map.xml accordingly to match the 
> expected attributes under 
> [dspace]/config/modules/authentication-shibboleth.cfg. 
> 
> The documentation at 
> https://wiki.lyrasis.org/display/DSDOC7x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
>  
> provides a template for attribute-map with the attributes that seem to 
> match at first glance. 
> 
> But unfortunately that alone does not change anything for us. Do you 
> possibly know more about this?

You need to know the OIDs used by your Shibboleth IDP to label the
attributes that you want.  These may vary from site to site.
attribute-map.xml maps them to names SHIB-NETID and the rest.  If you
don't give the right OIDs, nothing will be mapped into the request.

You also need to know (or set) the request attributes that DSpace
expects.  That's the other side of the mapping.

Here we are using attributePrefix='AJP_' and it works.  We do not set
ShibUseHeaders.  Tomcat will strip the prefix and pass the attributes
through in the Request.  But Tomcat must be configured to accept more
than the default set of attributes:  the AJP connector must have
'allowedRequestAttributesPattern='SHIB-.*' to let them through.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/ZJ2Nwy4fJH_UE1jD%40IUPUI.Edu.
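The chain Mark describes above has four places where it can break, and the thread touches all of them: the OID-to-id mapping in attribute-map.xml, the attributePrefix in shibboleth2.xml, the allowedRequestAttributesPattern on Tomcat's AJP connector, and the header names in authentication-shibboleth.cfg. The Python script below is an added example for this archive, not code from DSpace, the Shibboleth SP or any of the posters. It parses constructed copies of those four files, models the Apache-to-Tomcat hop (the mod_proxy_ajp documentation Mark links says AJP_-prefixed environment variables are forwarded as AJP request attributes with the prefix removed; the Tomcat AJP connector documentation says a request that carries an attribute name not fully matched by allowedRequestAttributesPattern is rejected with 403) and reports where the chain breaks. The OID-to-id pairing uses the standard meanings of the OIDs quoted in the thread (eduPersonPrincipalName, mail, givenName, sn), which is an assumption about the poster's own map since the XML did not survive archiving; the entityID, port and secret are placeholders; the identity values in the sample environment are made up.

```python
"""Added example: trace the Shibboleth SP -> Apache -> AJP -> Tomcat -> DSpace chain."""
import re
import xml.etree.ElementTree as ET

AJP_PREFIX = "AJP_"  # mod_proxy_ajp forwards AJP_<x> env vars as attribute <x>

ATTRIBUTE_MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="SHIB-NETID"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB-MAIL"/>
  <Attribute name="urn:oid:2.5.4.42" id="SHIB-GIVENNAME"/>
  <Attribute name="urn:oid:2.5.4.4" id="SHIB-SURNAME"/>
</Attributes>"""

# Constructed sample; deliberately carries the misspelt prefix from the thread.
SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://repo.example.org/shibboleth"
                       REMOTE_USER="SHIB-NETID" attributePrefix="_AJP"/>
</SPConfig>"""

SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" port="8009" address="127.0.0.1"
             secretRequired="true" secret="change-me"
             allowedRequestAttributesPattern="SHIB-.*"/>
</Service></Server>"""

DSPACE_CFG = """authentication-shibboleth.netid-header = SHIB-NETID
authentication-shibboleth.email-header = SHIB-MAIL
authentication-shibboleth.firstname-header = SHIB-GIVENNAME
authentication-shibboleth.lastname-header = SHIB-SURNAME"""

def parse_attribute_map(xml_text):
    """{id: oid} for every <Attribute> in attribute-map.xml."""
    root = ET.fromstring(xml_text)
    return {a.get("id"): a.get("name") for a in root.findall(".//{*}Attribute")}

def parse_attribute_prefix(xml_text):
    """attributePrefix of <ApplicationDefaults>, or None when it is not set."""
    app = ET.fromstring(xml_text).find(".//{*}ApplicationDefaults")
    return None if app is None else app.get("attributePrefix")

def parse_ajp_pattern(xml_text):
    """allowedRequestAttributesPattern of the first AJP connector, or None."""
    for conn in ET.fromstring(xml_text).findall(".//Connector"):
        if conn.get("protocol", "").startswith("AJP/"):
            return conn.get("allowedRequestAttributesPattern")
    return None

def parse_dspace_headers(cfg_text):
    """{property: header name} for the *-header keys of authentication-shibboleth.cfg."""
    headers = {}
    for line in cfg_text.splitlines():
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith("authentication-shibboleth.") and key.endswith("-header") and value:
            headers[key] = value
    return headers

def forward_to_ajp(apache_env, allowed_pattern):
    """Model the Apache -> Tomcat hop: each AJP_<x> variable becomes request
    attribute <x>; Tomcat rejects the whole request with 403 unless every such
    name fully matches allowedRequestAttributesPattern (Tomcat's own
    javax.servlet.request.* attributes are always admitted and not modelled)."""
    attrs = {}
    for name, value in apache_env.items():
        if not name.startswith(AJP_PREFIX):
            continue  # plain CGI variables never become AJP attributes
        attr = name[len(AJP_PREFIX):]
        if allowed_pattern is None or not re.fullmatch(allowed_pattern, attr):
            return 403, {}
        attrs[attr] = value
    return 200, attrs

def resolve_identity(request_attrs, cfg_text):
    """What DSpace can see: each configured name looked up among the request
    attributes, None where absent (the thread's log shows all four as null)."""
    return {prop: request_attrs.get(name) for prop, name in parse_dspace_headers(cfg_text).items()}

def check_chain(attribute_map_xml, shibboleth2_xml, server_xml, cfg_text):
    """Findings across the four files; empty means every header DSpace expects
    is mapped by the SP, forwarded by Apache and admitted by Tomcat."""
    findings = []
    ids = parse_attribute_map(attribute_map_xml)
    prefix = parse_attribute_prefix(shibboleth2_xml)
    pattern = parse_ajp_pattern(server_xml)
    if prefix != AJP_PREFIX:
        findings.append(f"shibboleth2.xml: attributePrefix is {prefix!r}; mod_proxy_ajp forwards only {AJP_PREFIX!r}-prefixed variables")
    if pattern is None:
        findings.append("server.xml: AJP connector has no allowedRequestAttributesPattern; Tomcat answers 403 to any request carrying SP attributes")
    for prop, header in parse_dspace_headers(cfg_text).items():
        if header not in ids:
            findings.append(f"{prop}: no <Attribute id={header!r}> in attribute-map.xml")
        elif pattern is not None and not re.fullmatch(pattern, header):
            findings.append(f"{prop}: {header!r} does not match allowedRequestAttributesPattern {pattern!r}")
    return findings

if __name__ == "__main__":
    for finding in check_chain(ATTRIBUTE_MAP_XML, SHIBBOLETH2_XML, SERVER_XML, DSPACE_CFG) or ["chain is consistent"]:
        print(finding)
```

Run as is, it reports only the _AJP finding; change the prefix to AJP_ and it is silent. The pattern match is whole-string and case-sensitive, and a single unmatched name rejects the entire request, so the pattern has to cover every name the SP exports with the prefix, not only the four DSpace reads. That behaviour is also consistent with the thread's 403-then-401 sequence: with the prefix set and no pattern on the connector, Tomcat rejects the request; with the prefix removed, nothing is forwarded and DSpace logs the four null headers. Keep the AJP connector bound to localhost with a secret, as in the sample, because Tomcat treats request attributes as proxy-supplied identity and anything that can open the AJP port can assert them.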




[dspace-tech] Re: Shibboleth on DSpace 7.2 won't work for unknown reasons

2023-06-29 Thread Matthias Letsch
Hello Matti,

thank you very much!

This has at least resulted in the 403 becoming a 401 and DSpace noticing 
something about the login attempt, which I consider positive progress.

However, DSpace now complains in the logs that it cannot find the required 
attributes:

2023-06-29 11:58:35,693 ERROR unknown unknown 
org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication was 
not able to find a NetId, Email, or Tomcat Remote user for which to 
indentify a user from.
2023-06-29 11:58:35,707 ERROR unknown unknown 
org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson 
because we are unable to find an email address along with first and last 
name for the user.
  NetId Header: 'SHIB-NETID'='null' (Optional)
  Email Header: 'SHIB-MAIL'='null'
  First Name Header: 'SHIB-GIVENNAME'='null'
  Last Name Header: 'SHIB-SURNAME'='null'
2023-06-29 11:58:35,709 INFO  unknown unknown 
org.dspace.app.rest.security.EPersonRestAuthenticationProvider @ 
anonymous::failed_login:email=null, result=4
2023-06-29 11:58:35,719 ERROR unknown unknown 
org.dspace.app.rest.security.StatelessLoginFilter @ Authentication failed 
(status:401)
org.springframework.security.authentication.BadCredentialsException: Login 
failed

So I guess I need to modify the attribute-map.xml accordingly to match the 
expected attributes under 
[dspace]/config/modules/authentication-shibboleth.cfg. 

The documentation at 
https://wiki.lyrasis.org/display/DSDOC7x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
 
provides a template for attribute-map with the attributes that seem to 
match at first glance. 

But unfortunately that alone does not change anything for us. Do you 
possibly know more about this?

Thanks again and best regards
Matthias
Matti Yrjölä wrote on Wednesday, 28 June 2023 at 18:03:53 UTC+2:

> Hi,
>
> Do you have the attribute attributePrefix="AJP_" set in your 
> ApplicationDefaults (in shibboleth2.xml)?
> I think we had similar problem with that setting as we are using that with 
> older DSpace. 
> Removing the AJP_ prefix and also adding "ShibUseHeaders On" in 
> <Location ...> and <Location "/server/api/authn/login"> solved this issue.
>
> There was some discussion in:
> https://github.com/DSpace/DSpace/pull/2651#issuecomment-604902452 
> and
> DSpace 7 Shibboleth Configuration - DSpace - LYRASIS Wiki
> "The AJP proxy only works (Ben Bosman) if shibboleth2.xml *doesn't* contain 
> the attribute *attributePrefix="AJP_"* in the ApplicationDefaults."
>
> Best regards,
> Matti
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/a3a7e624-986c-4b41-8811-0d8535416cd1n%40googlegroups.com.


[dspace-tech] Re: Shibboleth on DSpace 7.2 won't work for unknown reasons

2023-06-28 Thread Matti Yrjölä
Hi,

Do you have the attribute attributePrefix="AJP_" set in your 
ApplicationDefaults (in shibboleth2.xml)?
I think we had a similar problem with that setting, as we are using it with 
an older DSpace. 
Removing the AJP_ prefix and also adding "ShibUseHeaders On" in 
<Location ...> and <Location "/server/api/authn/login"> solved this issue.

There was some discussion in:
https://github.com/DSpace/DSpace/pull/2651#issuecomment-604902452 
and
DSpace 7 Shibboleth Configuration - DSpace - LYRASIS Wiki
"The AJP proxy only works (Ben Bosman) if shibboleth2.xml *doesn't* contain 
the attribute *attributePrefix="AJP_"* in the ApplicationDefaults."

Best regards,
Matti

On Tuesday, June 27, 2023 at 4:33:20 PM UTC+3 Matthias Letsch wrote:

> Hello,
>
> for some reason we cannot get Shibboleth working.
>
> We have a test IdP and test credentials to log in, but something is still 
> not working. Our colleague from the IdP side says that the communication 
> between the Shib daemon on our server and the Shibboleth IdP is working and 
> therefore the tasks from his side are finished for now. But he suspects 
> that DSpace is not communicating properly with shibd and that we have to 
> change some configurations.
>
> As of now I am able to get to the Shibboleth login page and to log in with 
> the test credentials and to accept the metadata usage, but then there is an 
> HTTP Status 403 report:
>
> HTTP Status 403 – Forbidden
>
> *Type* Status Report
>
> *Description* The server understood the request but refuses to authorize it.
>
> Apache Tomcat/9.0.31 (Debian)
>
> Has anyone had this problem and knows how to solve it?
>
> Thank you and kind regards
> Matthias
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/34cb2eac-4f05-42d3-8511-9747531cdda3n%40googlegroups.com.